foodogsquared/website
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/website.git synced 2025-01-31 22:58:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
89c9114a27
website/content/posts/2023-02-26-my-experience-managing-a-cloud-hosted-server-with-nixos/assets/modified-coredns-service.nix

47 lines
1.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
inherit (config.networking) domain;
domainZoneFile = ./config/coredns/${domain}.zone;
domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
dnsDomainName = "ns1.${domain}";
corednsServiceName = "coredns";
in
{
# Generating a certificate for the DNS-over-TLS feature.
security.acme.certs."${dnsDomainName}".postRun = ''
systemctl restart ${corednsServiceName}.service
'';
services.coredns.config = ''
tls://. {
tls {$CREDENTIALS_DIRECTORY}/cert.pem {$CREDENTIALS_DIRECTORY}/key.pem {$CREDENTIALS_DIRECTORY}/fullchain.pem
forward . /etc/resolv.conf
}
'';
systemd.services.${corednsServiceName} = {
requires = [ "acme-finished-${dnsDomainName}.target" ];
preStart =
let
secretsPath = path: config.sops.secrets."plover/${path}".path;
replaceSecretBin = "${lib.getBin pkgs.replace-secret}/bin/replace-secret";
in
lib.mkBefore ''
install -Dm0644 ${domainZoneFile} ${domainZoneFile'}
${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}'
${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}'
'';
serviceConfig.LoadCredential = let
certDirectory = config.security.acme.certs."${dnsDomainName}".directory;
in
[
"cert.pem:${certDirectory}/cert.pem"
"key.pem:${certDirectory}/key.pem"
"fullchain.pem:${certDirectory}/fullchain.pem"
];
};
}
Reference in New Issue View Git Blame Copy Permalink